Date:   Sun, 10 Oct 2021 17:12:30 +0800
From:   Teng Qi <starmiku1207184332@...il.com>
To:     lorenzo.bianconi83@...il.com, jic23@...nel.org, lars@...afoo.de
Cc:     linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
        islituo@...il.com, baijiaju1990@...il.com,
        Teng Qi <starmiku1207184332@...il.com>,
        TOTE Robot <oslab@...nghua.edu.cn>
Subject: [PATCH] iio: imu: st_lsm6dsx: Fix an array overflow in st_lsm6dsx_set_odr()

The length of hw->settings->odr_table is 2 and ref_sensor->id is an enum
variable whose value is between 0 and 5.
However, the value ST_LSM6DSX_ID_MAX (i.e. 5) is not catched properly in
 switch (sensor->id) {

If ref_sensor->id is ST_LSM6DSX_ID_MAX, an array overflow will ocurrs in
function st_lsm6dsx_check_odr():
  odr_table = &sensor->hw->settings->odr_table[sensor->id];

and in function st_lsm6dsx_set_odr():
  reg = &hw->settings->odr_table[ref_sensor->id].reg;

To fix this possible array overflow, ref_sensor->id should be checked 
first. If it is greater than or equal to 2, the function
st_lsm6dsx_set_odr() returns -EINVAL.

Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@...il.com>
---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
index db45f1fc0b81..edf5d33dd256 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -1308,6 +1308,10 @@ st_lsm6dsx_set_odr(struct st_lsm6dsx_sensor *sensor, u32 req_odr)
 		break;
 	}
 
+	if (ref_sensor->id >= 2) {
+		return -EINVAL;
+	}
+
 	if (req_odr > 0) {
 		err = st_lsm6dsx_check_odr(ref_sensor, req_odr, &val);
 		if (err < 0)
-- 
2.25.1

Powered by blists - more mailing lists